Vulnerabilities in digital collectible contracts lead to permanent lock-up of 34 million USD, highlighting the importance of security audits.
Recently, a security company discovered two serious vulnerabilities in a digital collectible contract. These vulnerabilities could leave user assets locked or leave the project team unable to withdraw its funds.
The first vulnerability exists in the refund processing function. This function refunds all users in a single loop, but if one of those users is a malicious contract, it can refuse to accept the refund and abort the transaction, causing the refund operations for all users to fail. Fortunately, this vulnerability has not been exploited in practice.
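The refund-loop failure mode described above, shown beside a pull-based alternative. This is an added example, not code from the original article or from the affected contract; the contract names, function names and storage layout are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts only; every name here is hypothetical.

// Vulnerable pattern: one transaction pushes ETH to every bidder.
contract PushRefund {
    address[] public bidders;
    mapping(address => uint256) public owed;

    function bid() external payable {
        require(msg.value > 0, "no value");
        if (owed[msg.sender] == 0) bidders.push(msg.sender);
        owed[msg.sender] += msg.value;
    }

    function refundAll() external {
        for (uint256 i = 0; i < bidders.length; i++) {
            address to = bidders[i];
            uint256 amount = owed[to];
            owed[to] = 0;
            (bool ok, ) = to.call{value: amount}("");
            // If the recipient is a contract that rejects ETH, ok is false
            // and this require reverts the refunds of every bidder.
            require(ok, "refund failed");
        }
    }
}

// Hardened pattern: each bidder withdraws their own refund.
contract PullRefund {
    mapping(address => uint256) public owed;

    function bid() external payable {
        require(msg.value > 0, "no value");
        owed[msg.sender] += msg.value;
    }

    function withdrawRefund() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // update state before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed"); // a failure affects only this caller
    }
}
```

With the pull pattern, a recipient that rejects the transfer only blocks its own withdrawal, and the loop over an unbounded bidder list disappears along with its gas-limit risk.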
To avoid similar issues, it is recommended that the project team take the following security measures:
The second vulnerability is caused by a logic error in the code. The function for withdrawing project funds contains a conditional statement, but the condition compares against the wrong object. As a result, the condition can never be met, and the project team cannot withdraw assets from the contract. Currently, over 34 million dollars worth of assets are permanently locked in this contract.
These issues once again highlight that even well-known projects can make basic mistakes. During the development process, thorough testing and basic security awareness are crucial. Although security audits have become standard practice in the decentralized finance sector, they are still lacking in digital collectibles projects. This negligence has directly led to significant financial losses.
This incident reminds us that, regardless of the scale of the project, we should prioritize code security and conduct comprehensive testing and audits to prevent similar significant losses from occurring again.